Transcript of MHA Consulting – BCM Metrics: Resiliency Through Measurement
© 2009 MHA Consulting All Rights Reserved. © 2013 MHA Consulting All Rights Reserved.
MHA Consulting BCM Metrics – Resiliency Through Measurement
Presented by: Michael Herrera, CBCP
March 2013
Agenda
• Overview
• A Menu of Standards
• Trends in Today’s Standards
• Reality in Today’s Environment
• What Standard Do We Choose?
• MHA’s Approach
• Tier 1 & Tier 2 Metrics
• Practical Application
Experience & Qualifications
“MHA combines the strengths of the large consulting companies and independent alternatives … without compromise” – Michael Herrera, CEO, MHA Consulting
Who We Are
• Leading boutique consulting firm since 1999
• Provider of consulting services to Fortune 1000 companies across the USA
• Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization
What We Do
• Business Continuity Planning
• Disaster Recovery Planning
• Physical Security Consulting
• Information Technology Optimization & Best Practices
• Data Center Moves & Relocations
What Makes Us Different
• Experienced professionals that possess a unique blend of knowledge
• Experience combines the focus, dedication and independence of a specialty firm
• Proven methodologies and tools
• Financial and management stability
• Domestic presence and deep skill-sets of a Big 4 or larger consulting firm
Experience & Qualifications [client logo slide; the only legible name is Metro Water District]
BCM Metrics
“If you don't know where you are going, any road will get you there.” – Lewis Carroll
A Menu of Standards
1. British Standard BS 25999 (superseded by ISO 22301 in 2012)
2. National Fire Protection Association (NFPA) 1600
3. ASIS Organizational Resilience Standard
4. Disaster Recovery Institute International (DRII) Generally Accepted Practices (G.A.P.)
5. Federal Financial Institutions Examination Council (FFIEC)
6. International Organization for Standardization (ISO) 27001
7. Health Insurance Portability and Accountability Act (HIPAA)
8. Information Technology Infrastructure Library (ITIL)
9. North American Electric Reliability Corporation (NERC)
10. Business Continuity Institute (BCI) Good Practice Guidelines
What do the Standards Address?
• Management Oversight
• Budget
• Policy
• Threat & Risk Assessment
• Business Impact Analysis
• Recovery Strategy Development
• Business Continuity Planning
• Disaster Recovery Planning
• Crisis/Incident Management
• Training
• Testing & Validation
• Maintenance
Trends in Today’s Standards
1. Core objectives remain the same
2. Higher level of specificity and sophistication
3. Reflect lessons learned from major disasters
4. Address a higher level of customer/client expectations
5. Reflect greater demands for up-time and timely response
6. Permit the BCM process to be more clearly auditable and certifiable
The Reality in Today’s Environment
1. Too many standards; they can be difficult to understand
2. Very few organizations, if any, use standards and metrics at all
3. Most struggle with just choosing a standard
4. Many are under a false sense of security that their program can recover, or do not know where critical gaps exist
5. Management does not understand BCM standards
6. Compliance doesn’t always mean you can recover your business
7. Auditors and customers are increasingly sophisticated in their line of questioning and understanding of BCM
So Which One Should I Use?
• The majority are specific to an industry, or to companies regulated by a particular commission or entity.
• Determine whether your company falls under the requirements of any BCM regulations.
• Some standards carry a particular focus (e.g., ISO, ITIL).
• Others cover overall BCM development and management without any single, specific focus, such as:
– British Standards: BS 25999
– The Disaster Recovery Institute International (DRII): “Business Continuity Planning Professional Practices”
Tier 1 & 2 Metrics – How MHA Implemented Metrics
Characteristics of Sound Metrics
1. Persistent: the outcome of a given action at one time will be similar to the outcome of the same action at another time.
2. Predictive: there is a causal relationship between the action the statistic measures and the desired outcome.
3. Sound metrics:
• Measure skills that are persistent
• Distinguish between skill and luck
• Predict the result you are seeking
Source: Harvard Business Review, “The True Measures of Success,” October 2012
MHA’s Approach
1. Selected the DRII “Business Continuity Planning Professional Practices” as our baseline.
2. Compiled a composite set of questions addressing overall BCM management.
3. Also incorporated questions from leading standards and practices (e.g., BS 25999, NFPA 1600).
4. It’s realistic for the majority, if not all, of the industries we work with and for today.
5. Easy to understand and implement.
MHA’s Approach
1. Using the DRII subject areas, we created two tiers of metrics to assess program compliance and capability:
• Tier 1 – Assesses the underpinnings of the program
• Tier 2 – Assesses demonstrated ability to recover
2. Created questions for each tier for the following subject areas:
• Program Administration – Tier 1
• Crisis Management – Tier 1 and 2
• Business Recovery – Tier 1 and 2
• Disaster Recovery – Tier 1 and 2
3. Implemented weighting and compliance scoring for each question to permit measurement of performance.
MHA’s Approach
1. Each question consists of two parts:
• Critical Success Factor (CSF) – An element critical to the service that maps to department objectives.
• Key Performance Indicator (KPI) – Measures the level of compliance with the CSF.
2. Added weighting and compliance scores:
• CSF weighting: 6 = Critical, 3 = Moderate, 1 = Low
• KPI compliance: 0 = None, 1 = Low, 2 = Moderate, 3 = Fully Compliant
3. Readiness Score & Level:
• Multiplying the CSF weight by the KPI compliance score gives the readiness score for that question.
• Adding up all scores in an area gives the readiness level for the subject area.
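A worked version of that scoring, added here as an example and not MHA’s own tool or spreadsheet: the sample questions paraphrase the Oversight and Policy samples that follow in the deck, while their CSF weights, the recorded compliance scores, the percent-of-maximum figure, the critical-gap list and the treatment of an unanswered question as 0 (None) are assumptions made for the example.

```python
"""Tier 1 readiness scoring: CSF weight (6/3/1) x KPI compliance (0..3) per question,
summed per subject area into a readiness level.

Added example, not MHA's tool. Sample questions paraphrase the deck's Oversight and
Policy samples; their weights, the compliance scores and the percent-of-maximum
normalisation are assumptions."""
from dataclasses import dataclass

CSF_WEIGHTS = {"critical": 6, "moderate": 3, "low": 1}   # deck: 6-Critical, 3-Moderate, 1-Low
KPI_MAX = 3                                               # deck: 0-None .. 3-Fully Compliant


@dataclass(frozen=True)
class Question:
    area: str      # subject area the question rolls up into
    csf: str       # Critical Success Factor
    kpi: str       # Key Performance Indicator
    weight: str    # "critical" | "moderate" | "low"


def readiness_score(question: Question, compliance: int) -> int:
    """CSF weight x KPI compliance for one question; rejects out-of-scale answers."""
    if not 0 <= compliance <= KPI_MAX:
        raise ValueError(f"KPI compliance must be 0..{KPI_MAX}, got {compliance}")
    return CSF_WEIGHTS[question.weight] * compliance


def readiness_levels(questions, answers):
    """Per area: (readiness level, maximum possible, percent of maximum).

    An unanswered question counts as 0 so that a skipped question can never
    raise the level; that conservative default is an assumption."""
    totals = {}
    for q in questions:
        score = readiness_score(q, answers.get(q.csf, 0))
        level, maximum = totals.get(q.area, (0, 0))
        totals[q.area] = (level + score, maximum + CSF_WEIGHTS[q.weight] * KPI_MAX)
    return {area: (lvl, mx, round(100.0 * lvl / mx, 1)) for area, (lvl, mx) in totals.items()}


def critical_gaps(questions, answers, below: int = 2):
    """CSFs weighted Critical whose compliance is below `below`: the items to zero in on."""
    return [q.csf for q in questions
            if q.weight == "critical" and answers.get(q.csf, 0) < below]


# Constructed sample: CSF/KPI text paraphrased from the deck, weights assumed.
QUESTIONS = [
    Question("Oversight", "Executive sponsor/owner assigned",
             "Assigned and regularly participating in oversight", "critical"),
    Question("Oversight", "Executives assigned to management oversight",
             "Holding regular meetings to review BCM status", "critical"),
    Question("Oversight", "Oversight executives represent the organization",
             "Key departments and functions represented", "moderate"),
    Question("Oversight", "Dedicated resources assigned to implement BCM",
             "BCM Office created, roles/responsibilities defined", "critical"),
    Question("Policy", "BCM policy committed to best practices",
             "Policy cites accepted industry standards", "moderate"),
    Question("Policy", "BCM policy approved and maintained",
             "Approved by senior management, reviewed on schedule", "critical"),
    Question("Policy", "BCM policy communicated to the organization",
             "Existence and duty to comply communicated to all employees", "low"),
]

# Constructed compliance scores (0..3); the approved-policy question is left unanswered.
ANSWERS = {
    "Executive sponsor/owner assigned": 3,
    "Executives assigned to management oversight": 2,
    "Oversight executives represent the organization": 1,
    "Dedicated resources assigned to implement BCM": 3,
    "BCM policy committed to best practices": 2,
    "BCM policy communicated to the organization": 3,
}

if __name__ == "__main__":
    for area, (level, maximum, pct) in readiness_levels(QUESTIONS, ANSWERS).items():
        print(f"{area:10s} readiness level {level:3d} of {maximum:3d} ({pct}%)")
    print("critical gaps:", critical_gaps(QUESTIONS, ANSWERS))
```

Because the readiness level is a raw sum, its ceiling depends on how many questions an area has; the percent-of-maximum column is what lets two areas with different question counts be compared on one dashboard.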
Oversight Questions – Sample
1. CSF: Executive assigned as sponsor/owner of the BCM program.
KPI: Assigned and regularly participating in active oversight of the program.
2. CSF: Executives assigned to provide the management oversight function for the BCM program.
KPI: Assigned and holding regular meetings to review BCM status, issues, etc.
3. CSF: Executives assigned to management oversight are representative of the organization.
KPI: Executives include representation from key organizational departments, parts and functions.
4. CSF: Dedicated internal or external resources assigned to implement the BCM program.
KPI: BCM Office created, person(s) assigned and roles/responsibilities defined.
5. CSF: Dedicated internal or external resources actively managing the BCM program.
KPI: BCM Office has sufficient authority and resources to actively manage and maintain the program.
6. CSF: Dedicated internal or external resources assigned to implement the IT Disaster Recovery Planning (DRP) program.
KPI: IT DRP Office created, person(s) assigned and roles/responsibilities defined.
7. CSF: Dedicated internal or external resources actively managing the IT DR program.
KPI: IT DR Office has sufficient authority and resources to actively manage and maintain the program.
BIA Questions – Sample
1. CSF: Business Impact Analysis studies conducted to determine the impacts of an outage.
KPI: Studies are conducted a minimum of every two years for each business unit.
2. CSF: Business Impact Analysis questionnaire is tailored to the organization.
KPI: Questionnaire is consistent with industry best practices and the needs of the organization.
3. CSF: Business Impact Analysis questionnaire identifies the financial impacts of an outage.
KPI: Quantitative impacts of not performing business processes over time are measured.
4. CSF: Business Impact Analysis questionnaire identifies the non-financial impacts of an outage.
KPI: Qualitative impacts of not performing a business process over time are measured.
5. CSF: Business Impact Analysis questionnaire identifies the critical systems and applications of the organization.
KPI: Critical systems and applications used by each business process are identified by the questionnaire.
6. CSF: Business Impact Analysis questionnaire identifies interdependencies.
KPI: Internal and external business process interdependencies are identified by the questionnaire.
7. CSF: Business Impact Analysis questionnaire identifies Recovery Time Objectives (RTOs).
KPI: The time to recover each business process and its associated computer systems/applications is determined.
Policy Questions – Sample
1. CSF: BCM policy is committed to best practices.
KPI: Policy has statements to comply with accepted industry best practices and standards.
2. CSF: BCM policy is committed to continual improvement.
KPI: Policy has statements to address risk prevention, reduction and mitigation.
3. CSF: BCM policy is committed to alignment with organizational legal and regulatory requirements.
KPI: Policy has statement(s) to comply with applicable organizational legal and regulatory requirements.
4. CSF: BCM policy is approved and maintained.
KPI: Policy is approved by senior management and reviewed at regularly scheduled intervals and/or when significant changes occur.
5. CSF: BCM policy is communicated to the organization.
KPI: The existence of the policy and the responsibility to comply with it are communicated to all employees of the organization.
Tier 1 Program Administration Metrics
• BCM Office – Exists, experience, training, certifications, etc.
• BCM Policy – Documented, approved, enforced, maintained, etc.
• Budget – Line item, multi-year, appropriate, etc.
• Oversight – Sponsor, oversight group, regularly meets, etc.
• Metrics – Standard adopted, regular, approved, etc.
• BIA – Consistent with best practices, regular, approved, etc.
• Threat Assessment – Consistent with best practices, regular, approved, etc.
Tier 1 Program Administration Metrics (continued)
• Recovery Strategies – Aligned with BIA, management approved, realistic to needs, maintained, etc.
• Recovery Exercises – Standardized approach, regularly scheduled, business process focused, etc.
• Maintenance – Standardized, regular, approved, enforced, etc.
• Training & Awareness – Multi-level, regular, approved, enforced, etc.
• Document Repository – Secure, houses key documents, auditable, etc.
Tier 1 CM, BRP and DRP Metrics
• Crisis Management – Uses a team approach, enlists operational command centers, standardized plan, holds regular exercises, communication tools and plans, etc.
• Business Recovery – Aligns with BIA, follows a team approach, uses recovery strategy standards, enlists a standard template, follows testing standards, etc.
• Disaster Recovery – Aligns with BIA, follows a team approach, uses recovery strategy standards, enlists a standard template, follows testing standards, etc.
Sample Tier 1 Questions & Reporting – How MHA Implemented Metrics [screenshot slides]
Tier 2 CM, BRP and DRP Readiness Metrics
• Crisis Management – Command center readiness, notification system readiness, level of mock exercise performed, training readiness, supply readiness, etc.
• Business Unit Recovery Plans – BIA completed, plan documented, level of exercise performed, training readiness, supply readiness, etc.
• Disaster Recovery Plans – BIA completed, plan documented, level of infrastructure/application exercise performed/demonstrated, RTO/RPO met, etc.
Summary
1. Standards
• Pick one that works for your organization.
• You may need to create your own tool.
2. Tier 1 Metrics
• Assess the underpinnings of the program.
• Do not assess true recovery capability.
3. Tier 2 Metrics
• Assess the recovery capability of key components (Crisis Management, Business Recovery, Disaster Recovery).
• Require an additional in-depth, objective assessment of these areas.
4. Past Experiences
• Tier 1 versus Tier 2.
• Be prepared for pushback or less than truthful answers.
MHA Consulting – Applying Tier 2 Metrics to Disaster Recovery
Presented by: Michael Herrera, CBCP
March 2013
Applying Tier 2 DR Metrics – Agenda
• Traditional Metrics
• Metrics that Make a Difference
• Implementing Tier 2 Metrics
• Management Reporting
• Conclusion
Disaster Recovery Program Metrics
1. Two types of metrics
• Basic and advanced
2. Basic metrics examples
• Percentage of applications that have test plans
• Percentage of applications tested within RTO targets
• Percentage of applications backed up
3. Advanced metrics
• Measure the overall health, usefulness and reliability of the recovery program
Basic DR Metrics Examples [chart slide]
MHA’s Approach
1. Built advanced metrics to assess the overall health, usefulness and reliability of the DR program.
2. Assess infrastructure and application recoverability.
3. Present a dashboard of recoverability for management.
4. It’s realistic for the majority, if not all, of the industries we work with and for today.
5. Easy to understand and implement.
Advanced Metrics – Examples [chart slide]
Advanced Metrics – Infrastructure
Period | Infrastructure Risk | Red Zone | Yellow Zone
Q3 2011 | 0.0 | 50 | 78
Q4 2011 | 40.0 | 50 | 78
Q1 2012 | 40.0 | 50 | 78
Q2 2012 | 40.0 | 50 | 78
[Line chart: Infrastructure Risk by quarter, Q3 2011 to Q2 2012, on a 0–100 scale, plotted against the Infrastructure Red Zone (50) and Yellow Zone (78) lines.]
Metrics that Make a Difference
Tier 2 DR Infrastructure / Application Readiness Metrics
• Recovery Site – Established, connected, tested, in or out of region, integrated with CM and SDLC, etc.
• Network – Can recover voice/data, sized properly, capacity tested, time to switch, etc.
• Storage – Capacity met, performance adequate, no capacity issues, etc.
• Data Management – Offsite copies, replicated updates, in sync with the business, etc.
• Desktop Images – Image available, maintained, integrated with CM & SDLC.
Metrics that Make a Difference (continued)
Tier 2 Infrastructure/Application Readiness Metrics
• Application Access – Unlimited access by IT and business, VPN and otherwise, no performance degradation, capacity tested, etc.
• Systems at Recovery Site – Adequate equipment, integrated with CM & SDLC, sizing, performance, etc.
• Security at Recovery Site – Physical and logical security in place and operational.
• Application Recovery Plans – BIA completed, plan documented, level of application exercise performed, RTO/RPO met, training readiness, integrated with CM and SDLC, etc.
Sample Tier 2 Questions & Reporting – MHA Metric Implementation [screenshot slides]
Generating Advanced Metrics – Infrastructure [two screenshot slides]
Generating Advanced Metrics – Applications [two screenshot slides]
Metrics that Make a Difference
These metrics present a real-world picture of your recovery capability based on what is in place and has been exercised.
[Executive Dashboard screenshot]
Implementing Tier 2 Metrics – Internal Team Support
1. DR Coordinator
2. Data Backup & Offsite Storage
3. Data and Voice Network
4. Storage
5. Desktop
6. Infrastructure
7. Applications
Implementing Tier 2 Metrics – Create Assessment Questions
Storage
Level 0: Insufficient storage exists at the recovery site for a complete restore of all data.
Level 1: Sufficient storage exists, but restore times take too long to meet RTO objectives.
Level 2: Sufficient storage exists and restore times meet RTO objectives, but storage performance is less than adequate.
Level 3: Sufficient storage, restore times meet RTO, performance adequate, but daily backup requirements cannot be met.
Level 4: Sufficient storage, restore times meet RTO, performance adequate, daily backups meet requirements, but storage is near or at capacity.
Level 5: Sufficient storage, restore times meet RTO, performance adequate, daily backups meet requirements, no capacity issues.
Implementing Tier 2 Metrics – Create Assessment Questions (continued) [screenshot slide]
Implementing Tier 2 Metrics
1. Create questions for each area to be measured.
2. Measure compliance for each area.
3. Weight questions based on importance.
4. Calculate maturity levels.
5. Create simple graphs to show capability.
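The five steps above carried through for the infrastructure side of the DR program, as an added example written for this transcript rather than MHA’s assessment tool: the Storage ladder follows the Level 0–5 wording on the Create Assessment Questions slide; the Network and Desktop Images ladders, the importance weights, the constructed facts, and the reading of the infrastructure chart’s 50 and 78 lines as red/yellow boundaries on a 0–100 readiness scale are assumptions made for the example.

```python
"""Tier 2 maturity assessment: each area is a cumulative ladder of criteria
(Level 0..5, modelled on the deck's Storage example); levels are weighted by
importance into a readiness percentage and mapped to a dashboard zone.

Added example, not MHA's tool. The Storage ladder mirrors the deck's Level 0-5
wording; the other ladders, the weights, the sample facts and the 50/78 zone
boundaries (taken from the infrastructure chart's lines) are assumptions."""

# The first rung that fails fixes the level: Level 1 = sufficient storage but
# restore too slow, Level 2 = restore within RTO but performance inadequate, etc.
LADDERS = {
    "Storage": [
        "sufficient_storage_at_recovery_site",   # needed for Level 1
        "restore_time_meets_rto",                # Level 2
        "storage_performance_adequate",          # Level 3
        "daily_backup_requirements_met",         # Level 4
        "capacity_headroom",                     # Level 5
    ],
    # Assumed ladders for two more areas named on the readiness-metrics slides.
    "Network": [
        "voice_and_data_recoverable",
        "sized_for_recovery_load",
        "capacity_tested",
        "switch_time_meets_rto",
        "no_open_capacity_issues",
    ],
    "Desktop Images": [
        "image_available",
        "image_maintained",
        "integrated_with_change_management",
        "integrated_with_sdlc",
        "restore_exercised",
    ],
}
MAX_LEVEL = 5
WEIGHTS = {"Storage": 6, "Network": 6, "Desktop Images": 1}   # assumed 6/3/1 importance scale
RED_BELOW, YELLOW_BELOW = 50.0, 78.0                           # chart lines, assumed as boundaries


def maturity_level(ladder, facts):
    """Count consecutive rungs that hold; an unknown or false fact stops the climb,
    so an unassessed criterion can never inflate the level."""
    level = 0
    for rung in ladder:
        if facts.get(rung) is not True:
            break
        level += 1
    return level


def assess(area_facts):
    """{area: level} for every area with a ladder; an area with no facts is Level 0."""
    return {area: maturity_level(ladder, area_facts.get(area, {}))
            for area, ladder in LADDERS.items()}


def readiness_percent(levels):
    """Importance-weighted maturity as a percentage of the all-Level-5 maximum."""
    earned = sum(WEIGHTS[area] * lvl for area, lvl in levels.items())
    possible = sum(WEIGHTS[area] * MAX_LEVEL for area in levels)
    return round(100.0 * earned / possible, 1)


def zone(percent):
    """Dashboard colour: red below 50, yellow below 78, green otherwise (assumed)."""
    if percent < RED_BELOW:
        return "red"
    if percent < YELLOW_BELOW:
        return "yellow"
    return "green"


# Constructed assessment: storage at capacity, network never capacity-tested,
# desktop images fully maintained.
FACTS = {
    "Storage": {
        "sufficient_storage_at_recovery_site": True,
        "restore_time_meets_rto": True,
        "storage_performance_adequate": True,
        "daily_backup_requirements_met": True,
        "capacity_headroom": False,
    },
    "Network": {
        "voice_and_data_recoverable": True,
        "sized_for_recovery_load": True,
        "capacity_tested": False,
        "switch_time_meets_rto": True,   # does not count: a lower rung already failed
    },
    "Desktop Images": {rung: True for rung in LADDERS["Desktop Images"]},
}

if __name__ == "__main__":
    levels = assess(FACTS)
    pct = readiness_percent(levels)
    for area, lvl in levels.items():
        print(f"{area:15s} Level {lvl}/{MAX_LEVEL}")
    print(f"infrastructure readiness {pct}% -> {zone(pct)} zone")
```

The ladder is deliberately strict: a higher rung that happens to be true (the network switch time above) does not lift the level while a lower rung fails, which is what keeps the dashboard honest when an area reports partial results.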
Reporting the Results – Key Considerations
1. Produce a one-page executive dashboard.
2. Create supporting detail reports as needed.
3. Weight questions based on importance.
4. Zero in on red and yellow zone issues.
5. Teach management to focus on Tier 2.
6. Be prepared to defend your analysis.
7. If you spend a lot of dollars and the metrics show low capability, figure out what is wrong.
8. If you don’t spend a lot of dollars and the metrics show low capability, ask for more money in the key areas that are weak.
Metrics that Make a Difference
These metrics present a real-world picture of your recovery capability based on what is in place and has been exercised.
[Executive Dashboard screenshot – Tier 2 Disaster Recovery Metrics]
Further Questions?
If you have questions about what we’ve covered or BCM related inquiries, please call or email:
Michael Herrera
Phone: 602.708.1718
Email: [email protected]